Typically, use %q instead of %s (or instead of "%s"), to expose various control characters and the like without interpreting them.
This is not really comprehensive; the codebase makes no general guarantee that any returned string values are free of control characters or other malicious/misleading metadata. Not even in returned "error" values (which can legitimately contain newlines, if nothing else).
A side effect of the code audit required by CVE-2024-3727.
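Added example (not code from the project or the commit author) showing the difference the message describes: a constructed string value carrying a newline and an ANSI escape sequence, formatted with %s and with %q, plus the explicit control-character check a caller still needs because, as the message notes, returned strings (including error text) are not guaranteed to be free of such characters. The sample value, function names and the "pulling"/"pull failed" log texts are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// untrustedName is a constructed sample of a string value (for example a
// reference or error text returned by a library) that carries a newline and
// an ANSI "erase line" escape; with %s both would be written raw to a log.
const untrustedName = "docker.io/library/alpine\n\x1b[2K[OK] verified"

// FormatWithS interpolates the value with %s: control characters pass through
// unchanged, so the value can fake a second, innocent-looking log line.
func FormatWithS(v string) string {
	return fmt.Sprintf("pulling %s", v)
}

// FormatWithQ interpolates the value with %q: the value is Go-quoted, so the
// newline and the escape byte appear as the escape sequences \n and \x1b and
// the whole value stays on one line inside double quotes.
func FormatWithQ(v string) string {
	return fmt.Sprintf("pulling %q", v)
}

// FormatErr shows that %q works on error values too: fmt calls Error() and
// then quotes the result, so a multi-line error text cannot split the log line.
func FormatErr(err error) string {
	return fmt.Sprintf("pull failed: %q", err)
}

// ContainsControl reports whether s holds any ASCII control character
// (including newline and DEL). This is the check a caller must do itself when
// it needs a guarantee, since the library makes none; %q only makes the
// characters visible, it does not reject them.
func ContainsControl(s string) bool {
	for _, r := range s {
		if r < 0x20 || r == 0x7f {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(FormatWithS(untrustedName))
	fmt.Println(FormatWithQ(untrustedName))
	fmt.Println(FormatErr(errors.New("line one\nline two")))
	fmt.Println(ContainsControl(untrustedName))
}
```

Running the block prints the %s form as two lines (the second beginning with the raw escape), the %q form as a single quoted line, the quoted error, and true for the control check.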